Bug 1154862 - (CVE-2019-17498) VUL-0: CVE-2019-17498: libssh2_org: integer overflow in a bounds check might lead to disclosure of sensitive information or cause a denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/245491/
Whiteboard: CVSSv3:SUSE:CVE-2019-17498:5.4:(AV:N/...
Reported: 2019-10-23 13:29 UTC by Alexandros Toptsoglou
Modified: 2020-06-30 07:24 UTC (History)
Found By: Security Response Team
Attachments
Backported patch for version <= 1.8.0 (7.26 KB, patch), 2019-10-24 14:42 UTC, Pedro Monreal Gonzalez
make check command detail output (13.94 KB, text/x-log), 2019-11-05 10:56 UTC, ming li

Description Alexandros Toptsoglou 2019-10-23 13:29:54 UTC
CVE-2019-17498

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c
has an integer overflow in a bounds check, enabling an attacker to specify an
arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH
server may be able to disclose sensitive information or cause a denial of
service condition on the client system when a user connects to the server.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17498
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17498.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498
https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498
https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480
https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94
Comment 1 Alexandros Toptsoglou 2019-10-23 13:37:21 UTC
Tracked as affected:

SUSE:SLE-11:Update
SUSE:SLE-11-SP4:Update 
SUSE:SLE-12:Update
SUSE:SLE-15:Update
Comment 2 Pedro Monreal Gonzalez 2019-10-23 14:09:08 UTC
Upstream commit:
   https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
Comment 4 Pedro Monreal Gonzalez 2019-10-23 17:45:30 UTC
Factory submission:
    https://build.opensuse.org/request/show/742231
Comment 5 Pedro Monreal Gonzalez 2019-10-24 14:42:41 UTC
Created attachment 822416 [details]
Backported patch for version <= 1.8.0

Version <= 1.8.0 of libssh2_org does not include the struct string_buf, and the functions _libssh2_check_length(), _libssh2_get_u32() and _libssh2_get_string() which form part of the fix for CVE-2019-17498. I have included them for forward compatibility.
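The description above attributes the bug to an integer overflow in a bounds check on the SSH_MSG_DISCONNECT payload, and comment 5 notes that the fix introduces a length-checked buffer cursor (struct string_buf with _libssh2_check_length(), _libssh2_get_u32() and _libssh2_get_string()). The following is an added example, not libssh2's code, showing that defensive pattern on a SSH_MSG_DISCONNECT payload: the names strbuf, check_len, get_u8, get_u32, get_string and parse_disconnect are this example's own, and the bounds check is expressed on the remaining byte count so that a server-chosen length cannot wrap a pointer computation.

```c
#include <stdint.h>
#include <string.h>

/* Cursor over a received packet; every read is bounded by `end`. */
struct strbuf { const unsigned char *cur, *end; };

/* Compare `len` with the bytes still available instead of computing
 * `cur + len`, so a length field near 2^32 cannot wrap the arithmetic
 * and slip past the check. */
static int check_len(const struct strbuf *b, size_t len)
{
    return len <= (size_t)(b->end - b->cur);
}

static int get_u8(struct strbuf *b, uint8_t *out)
{
    if (!check_len(b, 1)) return -1;
    *out = *b->cur++;
    return 0;
}

static int get_u32(struct strbuf *b, uint32_t *out)   /* big-endian */
{
    if (!check_len(b, 4)) return -1;
    *out = ((uint32_t)b->cur[0] << 24) | ((uint32_t)b->cur[1] << 16) |
           ((uint32_t)b->cur[2] << 8) | (uint32_t)b->cur[3];
    b->cur += 4;
    return 0;
}

/* SSH "string": u32 length followed by exactly that many bytes. */
static int get_string(struct strbuf *b, const unsigned char **s, size_t *n)
{
    uint32_t len;
    if (get_u32(b, &len) || !check_len(b, len)) return -1;
    *s = b->cur; *n = len; b->cur += len;
    return 0;
}

/* SSH_MSG_DISCONNECT (RFC 4253 section 11.1): byte 1, uint32 reason code,
 * string description, string language tag. Returns 0 on success, -1 if the
 * payload is truncated or a length field points outside `data`. */
int parse_disconnect(const unsigned char *data, size_t datalen, uint32_t *reason,
                     const unsigned char **desc, size_t *desc_len)
{
    struct strbuf b = { data, data + datalen };
    uint8_t type; const unsigned char *lang; size_t lang_len;
    if (get_u8(&b, &type) || type != 1 || get_u32(&b, reason)) return -1;
    if (get_string(&b, desc, desc_len) || get_string(&b, &lang, &lang_len)) return -1;
    return 0;
}
```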
Comment 7 ming li 2019-11-05 10:56:13 UTC
Created attachment 823363 [details]
make check command detail output

I'm testing this bug, and I found an error when compiling the latest source package for libssh2 and performing make check on the sles11sp4 system, as shown below:

# zypper ar -f http://download.suse.de/ibs/SUSE:/Maintenance:/13041/SUSE_Updates_SLE-SERVER_11-SP4-LTSS_x86_64/ test

# zypper si -r test libssh2_org

# rpmbuild -ba SPECS/libssh2_org.spec

# make check
...
./../docs/libssh2_sftp_fstatvfs.3
zsoelim: can't open man3/libssh2_sftp_statvfs.3: No such file or directory
zsoelim: -:1: warning: failed .so request
...
FAIL: mansyntax.sh
Fingerprint: 86 AD B2 21 33 60 65 3D 9A 29 86 DE 22 99 DA 18 CC BA D3 AC 
Authentication methods: publickey,password,keyboard-interactive
	Authentication by public key succeeded.
PASS: ssh2.sh
===========================================
1 of 3 tests failed
Please report to libssh2-devel@cool.haxx.se
===========================================
make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory `/usr/src/packages/BUILD/libssh2-1.4.3/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/usr/src/packages/BUILD/libssh2-1.4.3/tests'
make: *** [check-recursive] Error 1

This error was also present in the previous source package (libssh2_org-1.4.3-17.9.1.src.rpm), attached is the make check command detail output.
Comment 8 ming li 2019-11-05 10:58:21 UTC
This problem does not exist on sles12 and sles15 systems.
Comment 9 Swamp Workflow Management 2019-11-06 14:13:10 UTC
SUSE-SU-2019:2900-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1154862
CVE References: CVE-2019-17498
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libssh2_org-1.8.0-4.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libssh2_org-1.8.0-4.10.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libssh2_org-1.8.0-4.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-11-06 14:17:04 UTC
SUSE-SU-2019:14206-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1154862
CVE References: CVE-2019-17498
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libssh2_org-1.4.3-17.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libssh2_org-1.4.3-17.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Pedro Monreal Gonzalez 2019-11-06 17:36:01 UTC
(In reply to ming li from comment #8)
> This problem does not exist on sles12 and sles15 systems.

Have you installed all the required build dependencies? According to the error message, it looks like this one could be missing on your testing system:
    BuildRequires:  man
Comment 12 ming li 2019-11-07 04:13:20 UTC
(In reply to Pedro Monreal Gonzalez from comment #11)
> (In reply to ming li from comment #8)
> > This problem does not exist on sles12 and sles15 systems.
> 
> Do you have installed all the build required dependencies? According to the
> error message, it looks like it could be missing in your testing system this
> one:
>     BuildRequires:  man

I should have all the dependencies installed. I found that the problem was probably due to the fact that some parameters of the /usr/bin/nroff command are not supported on the sles11 system, resulting in too many warnings when the mansyntax.sh script was run, and an error occurred in the libssh2_sftp_fstatvfs.3 file, which ultimately caused the check to fail. I have checked it preliminarily, but I don't quite understand why only this one file reports an error.

e.g.:
# sh -x mansyntax.sh
...
+ echo /usr/src/packages/BUILD/libssh2-1.4.3/tests/../docs/libssh2_sftp_fstatvfs.3
/usr/src/packages/BUILD/libssh2-1.4.3/tests/../docs/libssh2_sftp_fstatvfs.3
++ LANG=en_US.UTF-8
++ MANWIDTH=80
++ man -M /usr/src/packages/BUILD/libssh2-1.4.3/tests --warnings -E UTF-8 -l /usr/src/packages/BUILD/libssh2-1.4.3/tests/../docs/libssh2_sftp_fstatvfs.3
+ warnings='zsoelim: can'\''t open man3/libssh2_sftp_statvfs.3: No such file or directory
zsoelim: -:1: warning: failed .so request
/usr/bin/nroff: invalid option -wmac'
+ '[' -n 'zsoelim: can'\''t open man3/libssh2_sftp_statvfs.3: No such file or directory
zsoelim: -:1: warning: failed .so request
/usr/bin/nroff: invalid option -wmac' ']'
+ echo 'zsoelim: can'\''t open man3/libssh2_sftp_statvfs.3: No such file or directory
zsoelim: -:1: warning: failed .so request
/usr/bin/nroff: invalid option -wmac'
zsoelim: can't open man3/libssh2_sftp_statvfs.3: No such file or directory
zsoelim: -:1: warning: failed .so request
/usr/bin/nroff: invalid option -wmac
+ ec=1

I tried removing the offending file and removing the warning parameter of the command in the mansyntax.sh script so that the check could pass:

# mv docs/libssh2_sftp_fstatvfs.3 /tmp

# vim mansyntax.sh
  warnings=$(LANG=en_US.UTF-8 MANWIDTH=80 man -M "$srcdir" -E UTF-8 -l "$manpage" 2>&1 >/dev/null)
//remove the --warnings parameter

# make check
...
PASS: mansyntax.sh
Fingerprint: 86 AD B2 21 33 60 65 3D 9A 29 86 DE 22 99 DA 18 CC BA D3 AC 
Authentication methods: publickey,password,keyboard-interactive
	Authentication by public key succeeded.
PASS: ssh2.sh
==================
All 3 tests passed
==================

I submitted a related bug, https://bugzilla.suse.com/show_bug.cgi?id=1155977, yesterday as a reference.
Comment 13 Swamp Workflow Management 2019-11-08 20:12:33 UTC
SUSE-SU-2019:2936-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1154862
CVE References: CVE-2019-17498
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libssh2_org-1.4.3-20.14.1
SUSE OpenStack Cloud 8 (src):    libssh2_org-1.4.3-20.14.1
SUSE OpenStack Cloud 7 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP4 (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libssh2_org-1.4.3-20.14.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libssh2_org-1.4.3-20.14.1
SUSE Enterprise Storage 5 (src):    libssh2_org-1.4.3-20.14.1
SUSE CaaS Platform 3.0 (src):    libssh2_org-1.4.3-20.14.1
HPE Helion Openstack 8 (src):    libssh2_org-1.4.3-20.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-11-11 20:12:56 UTC
openSUSE-SU-2019:2483-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1154862
CVE References: CVE-2019-17498
Sources used:
openSUSE Leap 15.1 (src):    libssh2_org-1.8.0-lp151.6.3.1
Comment 15 Swamp Workflow Management 2019-11-25 17:12:09 UTC
SUSE-SU-2019:14226-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1154862
CVE References: CVE-2019-17498
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.18.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-06-24 13:18:49 UTC
SUSE-SU-2019:2900-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1154862
CVE References: CVE-2019-17498
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libssh2_org-1.8.0-4.10.1
SUSE Linux Enterprise Server 15-LTSS (src):    libssh2_org-1.8.0-4.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libssh2_org-1.8.0-4.10.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libssh2_org-1.8.0-4.10.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libssh2_org-1.8.0-4.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Alexandros Toptsoglou 2020-06-30 07:24:13 UTC
Done